Pension Benefit Guaranty Corporation
Office of Inspector General
1200 K Street, N.W., Washington, D.C. 20005-4026

November 18, 2009

Honorable Peter Orszag
Director, Office of Management and Budget
Eisenhower Executive Office Building
725 17th Street, N.W., Room 252
Washington, DC 20503

Dear Mr. Orszag:

The Pension Benefit Guaranty Corporation (PBGC) Office of Inspector General (OIG) contracted with Clifton Gunderson LLP, an independent public accounting firm, to perform, under OIG oversight, the independent evaluation and review of PBGC's information and technology security required by the Federal Information Security Management Act (FISMA), the Federal Managers' Financial Integrity Act (FMFIA) and the Office of Management and Budget (OMB). The review assessed the effectiveness of PBGC's information security program and practices and determined compliance with the requirements of FISMA and related information security policies, procedures, standards, and guidelines. Clifton Gunderson used the Government Accountability Office's (GAO) Federal Information Systems Controls Audit Manual (FISCAM), as well as guidance issued by the National Institute of Standards and Technology (NIST), to assess PBGC's significant IT systems and operations. Specifically, the areas of review included:
    • Entity-wide security program planning and management;
    • Access control;
    • Configuration management;
    • Segregation of duties; and
    • Contingency planning.

OMB's new reporting guidelines, as prescribed by Memorandum M-09-29, have directly affected our responses to a significant number of the FY 09 questions. In past years we did not opine on "adequacy and effectiveness"; rather, we reached consensus with PBGC at a much higher level. For example, last year we limited our review to determining whether certification and accreditation (C&A) documentation for a system existed. This year we contracted for a detailed assessment of the adequacy and effectiveness of PBGC's information and technology security. A number of significant deficiencies were identified, and they are reflected in our responses.

PBGC's systemic security control weaknesses and the lack of an integrated financial management system posed increasing and substantial risk to PBGC's ability to carry out its mission during FY 2009. Communication to PBGC's key decision makers did not convey the urgent need for decisive strategic decisions to correct fundamental weaknesses in PBGC's IT controls and security. Strategic IT decisions did not address these deficiencies and significant weaknesses.

Current year audit work found deficiencies in the areas of security management, access controls, configuration management, and segregation of duties. Control deficiencies were also found in policy administration and in the certification and accreditation of major applications and general support systems. An effective entity-wide security management program requires a coherent strategy for the architecture of the IT infrastructure and the deployment of systems. The implementation of a coherent strategy provides the basis and foundation for the consistent application of policy, controls and best practices. PBGC first needs to develop and implement a framework to improve its security posture. This framework will require time for effective control processes to mature. Based on the current assessment, Clifton Gunderson reported:

   •   Information security policies and procedures were not fully disseminated and implemented. PBGC is not able to effectively enforce compliance for security awareness training. PBGC currently has a cumbersome and error-prone manual process to account for personnel who have completed security awareness training.
   •   PBGC's configuration management controls are labor intensive and ineffective. Weaknesses in the design of PBGC's infrastructure and deployment strategy for systems and applications created an environment in which strong technical controls and best practices cannot be effectively implemented.
   •   Controls are not consistently implemented to appropriately segregate duties and to grant rights and privileges commensurate with job functions and responsibilities. PBGC does not have a coherent strategy for enforcing segregation of duties through strong technical controls in its applications and general support systems. Developers have access to the production environment, which exposes PBGC to the risk of unauthorized modification of applications, the circumvention of critical controls, and unnecessary access to sensitive data.
   •   PBGC's process for the completion of C&A packages in accordance with NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, is ineffective. Fundamental weaknesses in PBGC's infrastructure architecture and design do not support the certification and accreditation of its information systems. Furthermore, PBGC's information systems employ obsolete and antiquated technologies that pose additional risk to the availability of financially significant systems. The review determined that only 1 of the 13 C&A packages asserted to have been completed in FY 2009 met NIST requirements. Significant deficiencies were noted in access controls and configuration management for the remaining C&A packages.

The OIG and the CIO's office worked diligently to reconcile our FY 09 FISMA responses. While we were in agreement on most questions posed by OMB, we did not agree on the number of systems for which contingency plans have been tested in accordance with policy. Specifically, the CIO's office reported testing six systems and the OIG reported four. We believe this discrepancy stems from two agency systems that do not have adequate storage capacity or server configurations at the COOP site. Therefore, in our view these systems do not meet the adequacy and effectiveness threshold prescribed by OMB Memorandum M-09-29, FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management.

To its credit, PBGC has taken steps in developing an overall strategy to improve its IT architecture and infrastructure. Major steps include:

    •   Completing an assessment of its Oracle database environment, initiating an IT infrastructure modernization program and implementing strategic decisions on IT sourcing.
    •   Completing the identification of all systems that provide data required to prepare the financial statements.
    •   Substantially completing the logical database model, including standard data definitions and formats to be used throughout the Corporation.
    •   Completing the development of segment architectures for the Consolidated Financial Systems (CFS) and Premium Accounting. Segment architectures will assist PBGC in identifying and planning financial technology recommendations for implementation and in analyzing alternatives for business cases.

PBGC has made a commitment to have executives at the highest level focus on IT, but much work remains. To further assist PBGC with its security program development and implementation, the OIG will continue to perform independent evaluations on an annual basis in addition to scheduled audits. Our work will include, but not be limited to, the following targeted areas:
    • Review of contractor-provided services, as well as services from other agencies;
    • Annual financial statement audit, to include an evaluation of PBGC general and system controls;
    • Application reviews, in addition to those included in the annual financial statement audit; and
    • Reviews of agency incident handling.

As always, the OIG will continue to work with and support PBGC through our reviews and analysis related to the agency's mission and programs, including information assurance and security.

Sincerely,

Joseph A. Marchowsky
Assistant Inspector General for Audit

LTR 2010-5 / FA-09-64-5